Separation of duties is an important, real-world requirement that access control models should support. The transaction control expression (TCE) for specifying dynamic separation of duties was previously introduced. The implementation of TCEs in the typed access matrix model (TAM) is considered. It is shown that TAM requires extension for satisfactory handling of dynamic separation of duties. In particular, dynamic separation requires the capability to explicitly test for the absence of rights in cells of the access matrix. It is illustrated how TAM, extended to incorporate such tests, can implement TCEs. The impact of checks for absence of rights on safety analysis (i.e. the determination of whether or not a given subject can acquire a given right to a given object) is discussed.